Method and system for accelerating the deterministic enciphering of data in a small domain

ABSTRACT

Conventional block ciphers that traffic in 128-bit block sizes are ill-suited for operating in small domains like credit card numbers. Some embodiments relate to techniques for constructing and speeding up practical and provably secure schemes for deterministically enciphering data from a small domain like credit card numbers using a conventional block cipher or other pseudorandom function.

RELATED APPLICATION

This application hereby claims priority under 35 U.S.C.§119 to U.S.Provisional Application 61/164,660 entitled “Thorp Mode Encryption,” byBenjamin J. Morris, Philip Rogaway, Terence Spies, and Till Stegers,filed Mar. 30, 2009, which is herein incorporated by reference.

BACKGROUND

1. Field

The present embodiments relate to cryptographic techniques forconstructing a blockcipher-based encryption scheme. More specifically,the present embodiments relate to techniques for constructing fast andprovably secure schemes for deterministically enciphering data from asmall domain, like credit card numbers, using a conventional blockcipher.

2. Related Art

Imagine wanting to encrypt a nine-decimal-digit plaintext, such as aU.S. Social Security number, into a ciphertext that is also anine-decimal-digit number. This operation is useful for storing theciphertext in the same record structure as the plaintext. Moderncryptographic techniques typically assume the plaintext input to a blockcipher has a block size of 128 bits and that the block cipher outputs aciphertext of 128 bits. Unfortunately, nine-decimal-digit plaintextinput and nine-decimal-digit ciphertext output are incompatible with ablock size of 128 bits.

One could imagine attempting to construct the desired scheme directly,by modifying a known primitive, but such constructions have manyshortcomings. For example, one could modify the definition of theAdvanced Encryption Standard (AES) so that it would take in anine-decimal-digit plaintext and output a ciphertext that is also anine-decimal-digit number. But both the specification andimplementations of AES have been carefully crafted, and thespecification has been in the public domain for a considerable time, soa modified version of AES would need careful study by manycryptographers to determine whether the level of security believed to beprovided by AES was compromised. As such, it is neither feasible nordesirable to employ such an approach.

In an alternative approach, rather than modifying AES, one could embedthe nine-decimal-digit plaintext one wants to encrypt into a 128-bitstring, and then invoke AES. Because AES returns a 128-bit string, theoutput would have to be mapped back into a nine-decimal-digit number.But it is impossible to encode a 128-bit string into nine decimaldigits, since 2¹²⁸>10⁹.

Is it really a problem if one cannot encrypt nine-decimal-digit numbersinto nine-decimal-digit numbers? Consider a database of U.S. SocialSecurity numbers. Suppose one wished to silently replace all of theSocial Security numbers with encrypted Social Security numbers. UsingAES to produce an output of 128 bits and using this in place of thenine-decimal-digit numbers would break existing applications that accessand manipulate U.S. Social Security numbers, because such applications,expecting nine-decimal-digit strings, are now faced with 128-bit binarystrings instead. Further, the database schema for each table containingU.S. Social Security numbers would need to be changed to support adifferent data type, and dependent applications would need to bemodified accordingly. Conventional block ciphers like AES are,therefore, not directly usable to encrypt on small domains of practicalinterest, because these techniques send 128-bit inputs to 128-bitoutputs.

Hence, what is needed is a cryptographic technique to encipher elementsfrom a small domain into elements of the same small domain.

SUMMARY

The present embodiments provide a practical system for enciphering inputdata drawn from a small domain into output data that is also drawn fromthe same domain. The system can be based on a conventional block cipher.Further, the system's process of enciphering can be sped upsignificantly to reduce the number of invocations of a conventionalblock cipher that are needed. Finally, the system is practical and canenjoy provable security guarantees.

In some embodiments, the small domain that can be enciphered is the setof credit card numbers or the set of U.S. Social Security numbers. Ingeneral, the domain can be the set of all strings of some fixed lengthn, where each string consists of base-k characters for some k≧2.

In some embodiments, the system's process of enciphering elements from asmall domain can be likened to shuffling cards. Each step in theenciphering process is analogous to shuffling a deck of cards. Each cardrepresents a message with the domain of the cipher.

In some embodiments, the system's process of enciphering can be sped upby five times compared to a more naïve embodiment.

In some embodiments, the system's process of enciphering can be sped upby two times compared to a more naïve embodiment.

In some embodiments, a conventional block cipher like AES (the AdvancedEncryption Standard) is used to implement a pseudorandom function thatgenerates pseudorandom bits and is used internally within theembodiment.

In some embodiments, the obliviousness property of a card shuffle—theproperty of a shuffle that you can trace the trajectory of a cardwithout attending to the trajectories of other cards—is the basis of theencryption scheme that is subject to the speed-up technique.

BRIEF DESCRIPTION OF THE FIGURES

FIG. 1 shows two examples of domains for small-space encryption inaccordance with an embodiment.

FIG. 2 shows the major components of an implementation of a cipher E inaccordance with an embodiment.

FIG. 3 shows a detailed example of how to encrypt a value drawn from thedomain of playing cards numbered 0, . . . , 7 to another value in thesame domain in accordance with an embodiment.

FIGS. 4A-4B show a detailed example illustrating the speed-upoptimization to perform five rounds of enciphering using a single callto the underlying pseudorandom function in accordance with anembodiment.

FIG. 5 shows a flowchart illustrating the process of performing fiverounds of enciphering using a single call to the underlying pseudorandomfunction as a way of speeding up the process of enciphering for n-bitinput strings in accordance with an embodiment.

FIG. 6 illustrates the process of encrypting a U.S. Social Securitynumber to another number in the same domain in accordance with anembodiment.

FIG. 7 shows a flowchart illustrating the process of performing tworounds of enciphering using a single call to the underlying pseudorandomfunction as a way-of speeding up the process of enciphering forn-decimal-digit input strings in accordance with an embodiment.

FIG. 8 illustrates the general process of encrypting a message in theformat of an n-character input string where the character is base-kthrough p phases of enciphering in accordance with an embodiment.

FIG. 9 illustrates the process of invoking a choice function on theinput register and the speed-up register to return a pseudorandomcharacter string in accordance with an embodiment.

Table 1 illustrates the Thorp shuffle technique with the obliviousnessproperty in which only card seven is shuffled through four rounds inaccordance with an embodiment.

Table 2 illustrates how the enciphering system concatenates bits fromthe input string to index into a speed-up register to obtain a randombit in accordance with an embodiment.

Table 3 illustrates some example parameter sets in accordance with anembodiment.

In the figures, like reference numerals refer to the same figureelements. Moreover, multiple instances of the same type of part may bedesignated by a common prefix separated from an instance number by adash.

DETAILED DESCRIPTION

The following description is presented to enable any person skilled inthe art to make and use the present embodiments, and is provided in thecontext of a particular application and its requirements. Variousmodifications to the disclosed embodiments will be readily apparent tothose skilled in the art, and the general principles defined herein maybe applied to other embodiments and applications without departing fromthe spirit and scope of the present embodiments. Thus, the presentembodiments are not limited to the embodiments shown, but are to beaccorded the widest scope consistent with the principles and featuresdisclosed herein.

The data structures and code described in this detailed description aretypically stored on a computer-readable storage medium, which may be anydevice or medium that can store code and/or data for use by a computersystem. The computer-readable storage medium includes, but is notlimited to, volatile memory, non-volatile memory, magnetic and opticalstorage devices such as disk drives, magnetic tape, CDs (compact discs),DVDs (digital versatile discs or digital video discs), or other mediacapable of storing computer-readable media now known or later developed.

The methods and processes described in the detailed description sectioncan be embodied as code and/or data, which can be stored in a computerreadable storage medium as described above. When a computer system readsand executes the code and/or data stored on the computer-readablestorage medium, the computer system performs the methods and processesembodied as data structures and code and stored within thecomputer-readable storage medium. Furthermore, the methods and processesdescribed below can be included in hardware modules. For example, thehardware modules can include, but are not limited to,application-specific integrated circuit (ASIC) chips, field-programmablegate arrays (FPGAs), and other programmable-logic devices now known orlater developed. When the hardware modules are activated, the hardwaremodules perform the methods and processes included within the hardwaremodules.

Embodiments provide a method and system for deterministicallyenciphering plaintext in a small domain such as U.S. Social Securitynumbers or credit card numbers into a ciphertext in the same domain.More generally, embodiments provide a method and system fordeterministically enciphering plaintext in a small domain consisting ofall strings of identical length over some finite alphabet.

FIG. 1 shows two examples of systems that operate in small domains inaccordance with some embodiments. The first system enciphers a16-decimal-digit credit card number 102, the plaintext, into aciphertext 104 that is also a 16-decimal-digit number. The second systemis an example of a database of Social Security numbers 106 stored in atable of the database. In this example, the system enciphers eachnine-decimal-digit U.S. Social Security number into a ciphertext that isalso a nine-decimal-digit number, which looks just like another SocialSecurity number. The ciphertext result is stored in place of theoriginal Social Security number, updating the corresponding field in thedatabase table. It is also possible to decipher each such SocialSecurity number ciphertext to recover the original upon retrieval fromthe database. Another example of a small domain (not shown) is pieces ofcredit card numbers in which, say, the last five digits are shown in theclear and the first 11 digits are encrypted in accordance with anembodiment. These examples are not meant to limit the scope of thepresent invention but serve to illustrate their possible domains of use.

The examples given are a special case of “format-preserving encryption”(FPE). In an FPE scheme, encryption is deterministic and the format ofthe ciphertext is identical to that of the plaintext. The advantage ofFPE is that it simplifies adding encryption to systems with legacy datalike the database because field types for the legacy data need not bechanged when the data is enciphered.

In the systems illustrated in FIG. 1 we show a box labeled E_(KT), theenciphering system, which takes an input string such as a credit cardnumber or a U.S. Social Security number and returns its respectiveenciphered output. More specifically, we define a cipher, a map

:

×

×

→

where

,

and

are finite non-empty sets and where

is a permutation on

for every K ε

and T ε

The set

is the key space, the set

the tweak space, and the set

is the domain. The shared key K controls the encryption. Both the keyspace and the domain are sets of strings drawn from an arbitraryalphabet (a finite, non-empty set of characters). The elements of set

are called plaintexts, or messages, and the number of them is denoted by|

|=N.

The tweak space is a set of arbitrary byte strings. The set

should be large enough to accommodate all non-secret information thatmay be associated with a plaintext. Users are strongly encouraged toemploy tweaks whenever possible, as their judicious use cansignificantly increase security. The intuition behind using a tweak inan FPE scheme is that we want knowledge of where a plaintext maps tounder a tweak T does no good in trying to figure out where the same oreven all plaintexts maps to under a different tweak T′.

The cipher

should have following properties: (1) given a key and a tweak, it isbijective, that is, it is a one-to-one and onto function; (2) it isdeterministic—it does not depend on any internal randomness or “coins;”(3) it is practical—meaning that it is simple and fast to compute; and(4) it is provably secure—meaning that a proof is known that provides asignificant assurance that it is a good pseudorandom permutation. Insaying that

is a good pseudorandom permutation we mean that a black box forcomputing

with respect to a random key K ε

looks to an adversary with reasonable computational means like a familyof independent random permutations on

indexed by tweaks in the tweak space.

In one or more embodiments, if the domain

is the space of U.S. Social Security numbers, then

={0, 1, . . . , N-1}, and N=10⁹. FIG. 1 shows encrypting a SocialSecurity number in terms of the cipher via

, K, T, 348-88-2346)=234-60-6477 (where hyphens are retained to showthat the ciphertext is a U.S. Social Security number). In one or moreembodiments, if the domain

is the space of 16-digit credit card numbers, then

={0, 1, . . . , N-1}, where N=10¹⁶. Further, FIG. 1 shows encrypting acredit card number in terms of the cipher via E(K, T, 4000 1234 56789123)=5887 3229 0447 4263.

FIG. 2 shows the major components of an implementation of a cipher

in one embodiment of the present invention. The components implement atweaked pseudorandom permutation on

for every key in

and every tweak in

The cipher

mechanism receives three arguments as inputs, namely a “Key” 202, a“Plaintext” 204, such as a credit card number or a U.S. Social Securitynumber, and a “Tweak” 206. The “Plaintext” 204 is stored in ann-character register 208. “Key” 202 is an element of the set of keys

, which may be defined as a set of 128-bit strings, where

is the set of keys of the pseudorandom function. “Tweak” 206 is anelement of the set of tweaks

which contains strings of bytes drawn from the set BYTE^(≦j) whereJ=2⁶⁴1 and BYTE denotes {0,1}⁸, the set of 8-bit bytes. Note thatcharacters are the most general format because they include bits,decimal digits, and hexadecimal digits, to name a few. The pseudorandomfunction 210 is the key to making the cipher practical and realizable;the function takes a round number, the key “Key” 202, and the tweak“Tweak” 206 and outputs a fixed-length pseudorandom base-k characterstring. In one embodiment, this pseudorandom function 210 can beconstructed from the CBC-MAC of AES (Advanced Encryption Standard). Inyet another variation, the pseudorandom function 210 can be implementedusing CMAC. In another variation, the key K itself can be a 128-bitquantity, a 192-bit or even a 256-bit quantity, depending on the levelof security desired.

The “combining function” 212 takes a pair of equal length strings andreturns a string of the same length. In one embodiment, when messagesare bit strings, the combining function may be modulo-2 addition, alsoknown as exclusive-or. In another embodiment, when messages are decimalstrings, the combining function is modulo-10 addition. In the generalembodiment, the combining function 212 may be modulo-k addition forbase-k characters. The output of the cipher

200 as a result of performing the computation 212 is “Ciphertext” 216,which is in the same domain as the input “Plaintext” 204.

What is the reason for including a tweak in the cipher

? Suppose we are enciphering the six middle digits of a 16-digit creditcard number; the remaining ten digits are to be left in the clear. If weuse a deterministic and tweakless scheme, there is a danger that anadversary might be able to create, by noncryptographic means, anunnecessarily useful dictionary of plaintext/ciphertext pairs (X, Y),where X is a 6-digit number and Y is its encryption. Eachplaintext/ciphertext pair (X, Y) that the adversary somehow obtains(acquired, for example, by a phishing attack) would let the adversarydecrypt every credit card number that happens to have those same sixmiddle digits. Note that in a database of 100 million entries we wouldexpect about 100 credit card numbers to share any given six middledigits. Learning k credit card numbers and possessing an encrypteddatabase ought not give you 100° k. more credit card numbers for free.

The problem is not a cryptographic failure, but a failure to use a goodtool well. The middle-six digits ought to have been tweaked by theremaining ten. If this had been done then learning the credit cardnumber 1234-123456-9876 encrypts to 1234-770611-9876, say, would not letone decrypt 1111-770611-9999, as the mapping of 123456 to 770611 isspecific to the surrounding digits 1234/9876.

In general, it is desirable to use all information that is available andstatically associated to a plaintext as a tweak for that plaintext. Inthe most felicitous setting of all, the non-secret tweak associated to aplaintext is associated only to that plaintext. Extensive tweaking meansthat fewer plaintexts are enciphered under any given tweak. Thiscorresponds, in the pseudorandom function model we have adopted, tofewer queries to the target instance. The relevant metric is the maximumnumber of plaintexts enciphered with the same tweak, which is likely tobe significantly less than the total number of plaintexts enciphered.

To implement the cipher

, we need a representation of a message (the plaintext) and a procedureto “mix” the key K with the message. To be deterministic, practical andprovably secure, the cipher

can be based on the idea of shuffling a deck of cards. Shuffling isequivalent to generating a random permutation of the cards. There aretwo basic algorithms for doing this. The first is simply to assign arandom number to each card, and then to sort the cards in order of theirrandom numbers. This will generate a random permutation, unless two ofthe random numbers generated are the same. This can be eliminated eitherby retrying these cases, or reduced to an arbitrarily low probability bychoosing a sufficiently wide range of random number choices. The second,generally known as the Knuth shuffle or Fisher-Yates shuffle, is alinear-time algorithm, which involves moving through the pack from topto bottom, swapping each card in turn with another card from a randomposition in the part of the pack that has not yet been passed through(including itself). Providing that the random numbers are unbiased, thiswill always generate a random permutation.

A variation on these algorithms is the Thorp shuffle, where the deck iscut into two equal-sized piles. Intuitively, cipher

encrypts by “shuffling” a set of messages using Thorp's method, wherethese messages can be thought of as cards in a large deck. Consider sucha deck of N cards where N is even. We wish to shuffle all the cards inthe deck. First, cut the deck into two equal piles. Second, according tothe outcome of a fair coin flip, drop the bottom card from either theleft or right pile, and then drop the card from the bottom of the otherpile. Continue in this way, flipping a total of N/2 independent coins,using each to decide if cards are dropped left-then-right orright-then-left, until there are no more cards. This is one round of theshuffle in which all cards from the two decks have been shuffled backinto a single deck. Cut the deck again into two equal-sized piles andrepeat the shuffle procedure for as many rounds as needed to mix thecards sufficiently.

To see the Thorp shuffle in action, imagine that the single deck ofcards has been cut into two decks: one deck is labeled “deck 1” (leftpile) and the second deck is labeled “deck 2” (right pile). In thisunusual deck there are only eight cards, each labeled with a number 0,1, 2, 3, 4, 5, 6, and 7. Consider the Thorp shuffle with 4 rounds onthis deck of cards. Cards 0-3 are in deck 1, and cards 4-7 are in deck2.

Consider the pair of cards 0 and 4 at the bottom of each deck. Toshuffle the deck, how do we decide in which order to drop the bottomcards? Do we drop card 0 and then card 4? Or, do we drop card 4 firstand then card 0? Flipping a fair coin makes this determination: forexample, “heads” (coin flip=0) means drop left-then-right and “tails”(coin flip=1) means drop right-then-left. For card pair (0, 4) we flip acoin; it comes up “heads,” so we drop card 0, and then drop card 4. Thenew deck being formed has card 0 at the bottom with card 4 on top of it.For each pair of remaining cards (1,5), (2,6) and (3,7), we flip a coin.Let us assume that “tails” is associated with (1,5), “tails” with (2,6)and “heads” with (3,7).

After performing the drop procedure for each pair of cards associatedwith each coin flip, the new deck is shown viewed from left to rightinstead of bottom to top: 0 4 5 1 6 2 3 7. After one round, the entiredeck of eight cards has been shuffled using four independent coin flips.If we define a minimum, called a pass, as ┌ log₂ N┐ then the totalnumber of coin flips used in a pass is ┌ log₂ N┐·N/2. Here ┌·┐ computesthe ceiling function such that ┌x┐ is the smallest integer not less thanx. The Thorp shuffle can mix the deck well after a small number ofpasses.

Whenever N cards are shuffled in this fashion, all the cards are beingshuffled at the same time. Yet, it is possible to trace the route of anygiven card in the deck through each successive round of the shufflewithout attending to the remaining cards in the deck. The Thorp shuffleis said to be oblivious to other cards in the deck in that one can focuson the route a single card takes as it is shuffled in multiple rounds;one need not be concerned with the route of other cards. An embodimentof the present invention leverages this obliviousness property of theThorp shuffle: a sufficient number of rounds that mix the cards quicklyenough makes encrypting over small domains practical and feasible.

To explain the obliviousness property of the Thorp shuffle, consider thesame deck of eight cards in its original configuration: 0 1 2 3 4 5 6 7.Employing the obliviousness property, we can ignore seven of the cardsand consider just shuffling card 7 in the deck. Alternatively, think of“encrypting” 7 by applying the Thorp shuffle and only looking at theroute of 7 during the course of the shuffle. Table 1 shows the Thorpshuffle oblivious to all but card 7. Given the coin flips tails (1),heads (0), tails (1), and heads (0) for the pairs in which card 7 isinvolved, the four rounds of shuffling show that card 7 ends at position4 (numbering the positions in the horizontal deck from 0 to 7). Thus,the result of encrypting 7 is 4 or

(K, T, 7)=4 for some K and T. The cards we do not care about are labeledwith an asterisk “*” to focus our attention on 7. Note that 4 is drawnfrom the same domain as 7, namely

={0, . . . , N-1}, where N=8.

TABLE 1 Thorp Shuffle (Compute E(K, T, 7) = 4) Card position Roundnumber 0 1 2 3 4 5 6 7 Coin flips * * * * * * * 7 1 * * * * * * 7 *Tails (1) right-then-left 2 * * * * * 7 * * Heads (0) left-then-right3 * * 7 * * * * * Tails (1) right-then-left 4 * * * * 7 * * * Heads (0)left-then-right

The Thorp shuffle, due to its obliviousness, provides a practical methodto encrypt messages over small domains. To implement the shuffle, andtherefore the cipher

, we need (1) a representation of the messages in space

; and (2) a function that realizes uniform random coin flips.

First, we represent all messages in space

, or the cards in the deck, by strings of the same length n over somefixed alphabet. In one embodiment, where N=2″, messages are representedas a n-bit strings, so that for instance card 7 in the shuffle would berepresented by the binary string 111. In general, if N=k^(n), then eachmessage in

={0, . . . , k^(n)-1} a string of n base-k digits.

Second, to implement the behavior of fair coin flips, we make use of apseudorandom function family. The function (family) is said to bepseudorandom because it possesses the property that the input-outputbehavior of an instance of the family of such functions determined by arandom key is computationally indistinguishable from a random functionwith the same signature. In an embodiment over an alphabet Σ thesignature of this pseudorandom function is

:

×

×

→{0,1}, that is, given a key, a tweak, a round number, and a message,the function returns a pseudorandom bit of 0 or 1.

The key space

is identical to the key space of the cipher

. For a key K, we use the notation

κ(·) rather than

(K, ·) to indicate a pseudorandom function keyed with key K. The totalnumber of random bits needed to shuffle a single card for R rounds is Rbits, not (N/2)·R bits which would be needed to shuffle the entire deck.(The property of being able to follow the trajectory of a single cardwithout attending to all the other cards is called obliviousness.) Table1 shows R=4 rounds of the shuffle, and that four random bits are neededto implement the four coin flips. In a naive embodiment, the invocationof the pseudorandom function on each round returns a pseudorandom bit.The reason the round number is included as an argument to thepseudorandom function is to ensure that the pseudorandom bits are indeedgenerated independently for different rounds. The reason the tweak isincluded is ensure that the encryption processes for different tweaks,even for the same plaintext, are independent.

In one or more embodiments, the pseudorandom function

could be implemented using the CBC-MAC of AES, the Advanced EncryptionStandard. The CBC-MAC is a well-known method for using the Cipher BlockChaining mode of operation to turn a block cipher into a MessageAuthentication Code (MAC). When implemented using the CBC-MAC, thefunction

must be constructed in such a way that the set of inputs on which theCBC-MAC is invoked is prefix-free, that is, for any distinct inputs x,y, x is not a prefix of y. This is because the CBC-MAC is known to be agood pseudorandom function when invoked on a set of prefix-free inputs,assuming that the underlying block cipher is a good pseudorandom randompermutation. In addition to the CBC-MAC, the pseudorandom function couldalso be implemented using the CMAC mode of operation.

The pseudorandom function

typically needs to make only a single AES call per pseudorandom functioninvocation, provided the tweak has been preprocessed. Note that an AEScall returns a 128-bit string. The pseudorandom function

will pick one of these 128 bits and return just one bit; in oneembodiment function

returns bit 127. This is reasonable and practical because all 128 bitsare guaranteed to be pseudorandom and, therefore, any bit chosen ispseudorandom.

FIG. 3 illustrates a practical realization of the Thorp shuffle on a bitstring of length n=3 in accordance with some embodiments. In thisexample illustrating an embodiment where N=8=2³ and R=4, we trace theencryption of 7 (in binary, 111). We show that in this example theencryption yields

_(KT)(7)=4 (300), just as we showed using cards. Note that the notationwhere “KT” is a subscript of cipher

indicates that the computation relies on the key K and the tweak T,which remain unchanged during the computation performed by

Suppose that bit string 111 is stored in an n-bit register called reg302. The string is divided into two parts: reg[0] (the left side) andreg[1 . . . 2] (the right side).

In round 1 (312), the system invokes the pseudorandom function

_(K) 304 with the round number 1 and the value of reg[1 . . . 2]=11 asthe arguments and outputs a pseudorandom bit

_(K) (r=1, x=11)=1. The system computes the exclusive-or (which is oneembodiment of the combining function 212 shown in FIG. 2) of thispseudorandom bit with the value of reg[0] and outputs the 1-bit value 1xor 1=0. Then the system concatenates reg[1 . . . 2] (right side) withthe value 0 output by the combining function 212, resulting in thestring 11∥10. This concatenated result is stored in reg. After oneround, the new state is 110, or 6 in decimal, which can be seen in thenew state of the n-bit register 310. Following the same procedureoutlined above for each subsequent round, at the end of round 2 (314),the original plaintext 7 has been encrypted to the value 5 (316), afterround 3 (318) to 2 (320), and, finally, after round 4 (322) to 4 (324),the value we expected and the same value returned in the Thorp shuffleof card 7.

For every round of the shuffle in this particular embodiment, thepseudorandom function

invokes the CBC-MAC of AES exactly once. This is because the CBC-MAC ofthe tweak can be cached, utilizing the fact that CBC-MAC_(K)(0,X₁∥X₂)=CBC-MAC_(K)(CBC-MAC_(K)(0, X₁), X₂), where CBC-MAC_(K)(V, X)denotes the CBC-MAC of a sequence of blocks X starting withinitialization vector V. With this preprocessing in mind, we refer tosuch a CBC-MAC invocation also as an AES call or AES invocation. EachCBC-MAC invocation returns an independent pseudorandom 128-bit string,ensuring that different rounds behave independently—but only 1pseudorandom bit is returned by the pseudorandom function

_(K). Because the computation required for each AES call is potentiallyexpensive, it seems especially wasteful that the above procedure onlyuses 1 bit for each round when 128 bits are available. In anotherembodiment of the present invention, these 128 bits from one AES callcan be shared by multiple rounds. In particular, if n≧5 for N=2^(n),then for each group of five rounds—called a phase—only one AES call isrequired. Each round uses a different non-overlapping 16-element subsetof these same 128 bits to provide separation between different rounds.In particular, this embodiment of the optimization uses 5·2⁴=80 bits ofthe 128 bits returned from the AES call. This is where the speed-upoptimization comes into play—we avoid the expense of calling AES in eachround and amortize its cost over five rounds, at the low price of someadditional arithmetic and a small number of register lookups.

FIGS. 4A-4B show this speed-up optimization to encipher a message drawnfrom the set

where the total number of messages in

is N=2″ for some n≧5 in accordance with some embodiments. The message toencipher is an n-bit string, stored in an n-bit register MainReg 404. Inone round of the Thorp shuffle presented earlier only the bit inposition [0] of MainReg was “active” in the sense that we computed theexclusive-or of that bit value with the output of the pseudorandomfunction

That same bit is still active under this speed-up optimization. What isdifferent is that four other bits of the n-bit MainReg 404 are used toindex into a speed-up register SpeedUpReg 412 (which we shall explainshortly) to yield a pseudorandom bit; this bit, as before, isexclusive-or-ed with the active bit. To populate this SpeedUpReg 412,one AES call (410) is made at the beginning of the 5-round. This AEScall in one phase returns a random 128-bit string, which is then storedin SpeedUpReg 412. The five rounds making up a phase share theSpeedUpReg 412 to obtain their subsets of bits. The arguments to saidAES call are the round number and the bits [5 . . . n] of the n-bitMainReg 404. Call this bit string Z 408. The optimization exploits thefact that the substring Z of MainReg is common to the n-bit strings inMainReg 404 in all five rounds of the phase. The call AES_(K)(P(i, Z))is keyed with key K and takes as an argument, in one embodiment, aprefix-free encoding P(i, Z) of the phase number i and the string Z.

The reason the speed-up optimization for enciphering n-bit stringsperforms five rounds and not six rounds is that each round examines adifferent 16-bit subset of the 128-bits in SpeedUpReg. Since 48 bitsremain of the 128-bits considered in the SpeedUpReg, could we not alsoperform a sixth round and extract 16 of the 48 remaining bits to indexinto? The answer is no, unfortunately: Six rounds of enciphering perphase for n-bit strings to achieve a six-fold speed-up require that thepseudorandom function output at least 6·2⁶⁻¹ bits (6·2⁵=192), which ismore than the 128 bits output by our pseudorandom function.

FIG. 4B shows the state changes of the n-bit register MainReg 404 foreach round of a group of five rounds where index j ε (0, 1, 2, 3, 4). Welabel the bits in MainReg[0], MainReg[1], MainReg[2], MainReg[3], andMainReg[4] at the beginning of round j=0 as b₀, b₁, b₂, b₃, and b₄respectively.

For example, consider the round j=0 (402) of phase 5i. In MainReg 404,bit b₀ is the active bit. Bits b₁, b₂, b₃, and b₄ are concatenated toform a new bit string B 406 (shown to the right of the n-bit register asb₁b₂b₃b₄). This bit string B 406 is used to index intoSpeedUpReg[B+16·j]=SpeedUpReg[B] 414 to obtain one pseudorandom bit.Suppose this bit string is B=1010. When j=0, then SpeedUpReg[1010]indexes into position 10 decimal of the speed-up register. Suppose thatthe pseudorandom bit SpeedUpReg[1010] is 1. Note that B has four bits,so the index B+16·j always points to a position in the (j+1)-th 16-bitblock of SpeedUpReg, ensuring that indices do not repeat across rounds.

Suppose that the pseudorandom bit SpeedUpReg[1010₂] is 1. Next, thesystem applies the combining function—in this embodiment, theexclusive-or operator—to the value (say) 1 in b₀=MainReg[0] and thepseudorandom bit SpeedUpReg[1010]=1 to produce a 1-bit output, the valued₀=0 (1 xor 1).

Next, the system concatenates the value in bit positions MainReg[1 . . .n—1] with the 1-bit output of the combining function, and stores theresult in the register MainReg.

The new state of the register MainReg consists of bits b₁, b₂, b₃, andb₄ (so that b_(i) occupies bit position [0]), followed by Z, andfollowed by d₀. In FIG. 4B, this state is shown in the next round.

To continue the example, consider the next round. Now j=1. The n-bitregister MainReg 404 has the following state: b₁b₂b₃b₄ Z d₀. Bit b₁ isthe active bit. Bits b₂, b₃, b₄, and d₀ are concatenated to form a newbit-string B 418 (shown to the right of the n-bit register). Notice thatbit d₀ is a result of the previous round and is appended to b₂b₃b₄ toform B=b₂b₃b₄d₀=0100. This bit string B 418 is used to compute the indexB+16·j=4+16=20 into the SpeedUpReg 420 to obtain the pseudorandom bitSpeedUpReg[20].

Next, the system applies the combining function to b₁=MainReg[0] and thepseudorandom bit looked up from SpeedUpReg 412 to produce a 1-bit outputd₁.

Next, the system concatenates the value in bit positions MainReg[1 . . .n—1] with d₁ and stores the result in the register MainReg.

This procedure is continued for the next three rounds numbered j=2, j=3,and j=4. The very last state shown in the figure (422) is the finalresult of applying all five rounds in this phase to the n-bit registerMainReg 404: Z=d₀d₁d₂d₃d₄. If there are more phases remaining in theshuffle, then the phase number is incremented by 1 and the next group offive rounds is computed. Note that there may be fewer than five roundsin the very last phase of the encryption process.

FIG. 5 shows a flowchart illustrating the speed-up optimization of theThorp shuffle in accordance with some embodiments. Note that thespecific arrangement of steps shown in the figure should not beconstrued as limiting the scope of the embodiments. The encipheringsystem begins by invoking the pseudorandom function

_(K) (step 502), passing in the phase number i, tweak T, and thesubstring Z=MainReg[5 . . . n−1]. The underlying implementation of thisfunction invokes AES_(K)(P(i, Z)), where P(i, Z) is a prefix-freeencoding of the phase number and Z. The AES call outputs a 128-bitstring. The system stores this string in the SpeedUpReg.

Next, the system starts an iteration (step 504) where each iteration iscalled a round and the round number j successively takes on the values0, 1, 2, 3, 4.

Next, the system sets B to be the concatenation of bit strings MainReg[1. . . (4-j)] and MainReg[(n-j) . . . (n−1)] (step 506). At first blush,it is not obvious what substrings are being concatenated, yet thesecorrespond merely to the bit positions in MainReg that do not fall intoZ. To see this, consider the following example, which borrows from FIG.4. Column 1 of Table 2 is j, the round number. Column 2 lists the indexrange 1 . . . (4-j) for the respective values of j, which extracts thefirst substring. The reason for this choice of indices is clear: in FIG.4 you can see that part of each round involves rotating the n-bitregister by 1 bit and storing the result of the exclusive-or computationin position [n−1], so in each round Z is preceded by one bit b₁ less.Column 3 shows the bit strings extracted as reg[(n-j) . . . (n−1)]. Fromone round to the next, this bit string grows by 1 bit. Thus, at indexj=0, [1 . . . 4] yields bit string b₁b₂b₃b₄, and [n . . . (n−1)] selectsthe empty string. At index j=1, [1 . . . 3] yields bit string b₂b₃b₄ and[(n−1) . . . [n−1] yields d₀. At index j=2, [1 . . . 2] yields bitstring b₃b₄ and [(n−2) . . . (n−1)] yields d₀d₁. At index j=4, [1 . . .(4-j)] selects the empty string while [n . . . (n−1)] is d₀d₁d₂d₃.

TABLE 2 Bit concatenation for speed-up optimization j 1 . . . (4 − j) (n− j) . . . (n − 1) B 0 1 . . . 4    n . . . (n − 1) b₁b₂b₃b₄ 1 1 . . . 3(n − 1) . . . (n − 1) b₂b₃b₄d₀ 2 1 . . . 2 (n − 2) . . . (n − 1)b₃b₄d₀d₁ 3 1 . . . 1 (n − 3) . . . (n − 1) b₄d₀d₁d₂ 4 1 . . . 0 (n − 4). . . (n − 1) d₀d₁d₂d₃

Next, the system consults the SpeedUpReg register (step 508) to look upthe pseudorandom bit at index [B+16·j]. Note that B has four bits andthus corresponds to an index in {0, . . . , 15}. To ensure that eachdistinct rounds select among disjoint 16-bit substrings of SpeedUpReg,we add an offset of 16·j to the integer value of B. Thus, round j=0indexes into the range [0 . . . 15], round j=1 indexes into [16 . . .31], and so on, until round j=4, which indexes into the range [64 . . .79]. In other embodiments, the SpeedUpReg need only contain 80 bits fromthe output of the pseudorandom function, since only indices from 0 to 79can occur. The system may store more than 80 bits (such as all 128) forefficiency or other reasons without affecting functionality.

Next, the system invokes the combining function that computes theexclusive-or (step 510) of the value in bit position [0] and thepseudorandom bit from step 508 and produces a new 1-bit output.

Next, the system concatenates the value in bit positions [1 . . . n−1]with the value of the new 1-bit output (step 512) to produce a new n-bitstring.

Next, the system stores the concatenated result into MainReg (step 514).

If not all rounds of the current phase are complete, the system proceedsto the next round (step 516), continuing with step 504. Otherwise, theiteration ends.

FIGS. 4 and 5 illustrate the speed-up optimization for n-bit strings inaccordance with some embodiments. As another, more realistic, example,consider FIG. 6, which shows how to encrypt a U.S. Social Securitynumber such as 348-88-2346 using a practical realization of the Thorpshuffle in accordance with some embodiments. After two rounds ofenciphering, the result is 888-23-4606. In this embodiment, only tworounds are shown but there can be as many rounds as needed to ensurethat the Thorp shuffle mixes the “deck” of U.S. Social Security numberswell.

Let us look at this enciphering more closely. U.S. Social Securitynumbers are enciphered using a tweaked cipher

:

×

×

→

where

is the key space of the underlying pseudorandom function, and

is a tweak space of byte strings, and

is the space of all U.S. Social Security numbers. The previousembodiment is modified to accommodate base-10 characters instead ofbinary characters as follows. First, the n-bit register is replaced witha nine-character register. Second, the exclusive-or binary operation(which is really modulo-2 addition) is replaced with modulo-10 addition.Third, the pseudorandom function

_(K) returns a base-10 character.

Suppose that a U.S. Social Security number 348882346 is stored in aregister called MainReg 602. The character string is divided into twoparts: MainReg[0] and MainReg[1 . . . 8]. In round 1 (612), the systeminvokes the pseudorandom function

_(KT) 604, passing in as arguments the round number 0 and the value ofMainReg[1 . . . 8]=48882346. Suppose the invocation

_(K)(0, 48882346) 604 returns the character 7 (one may think of this asrolling a ten-sided die). We compute the modulo-10 (606) addition ofthis character with the value in character position [0] to get 3+₁₀7=0.Next, we concatenate the value in MainReg[1 . . . n−1] (48882346) withthe value of the output of the modulo-10 addition, 0, to produce a newcharacter string, 488823460, and store it in register MainReg. AfterRound 1 (612), 348882346 has been encrypted to the intermediate value488823460, as shown by the state of the 9-character register 610.

We follow the same procedure outlined above for each subsequent round.For example, assuming

_(K)(1, 888234606)=2, round 1 (618) yields the intermediate encryption888234606 of 348882346 (616). This example illustrates how the describedenciphering scheme can be used to encrypt messages in a small domainsuch as U.S. Social Security numbers to ciphertexts in the same domain.Since

_(KT) is bijective, it is guaranteed two encrypted Social Securitynumbers only collide if their corresponding plaintexts are identical.

Note that the process of enciphering n-digit decimal strings can be spedup in a manner similar to that which was illustrated in FIG. 4 for n-bitinput strings. Rather than achieving a fivefold speed-up in the n-bitstring case (measured in the number of AES calls), an embodiment fordecimal strings achieves a twofold speed-up. FIG. 7 illustrates theprocess for applying the speed-up optimization to n-decimal-digitstrings in accordance with some embodiments. (Why phases comprise tworounds over the domain of decimal-digit strings and not five rounds asfor bit strings will become clear in a moment.)

FIG. 7 shows this speed-up optimization to encipher a message drawn fromset

where the total number of messages in set

is N=10″ messages for some n≧2 in accordance with some embodiments. Eachphase consists of two rounds. The message to encipher is ann-decimal-digit input string (712) stored in an n-decimal-digit registerMainReg 714.

To populate this SpeedUpReg 710, one AES call (704) is made at thebeginning of each phase as part of pseudorandom function

_(K) 702. This AES call (704) returns a pseudorandom 128-bit string.Since the SpeedUpReg stores decimal-digit strings, the system applies aconversion function that converts the 128-bit string to thecorresponding 39-decimal-digit string, which is then stored inSpeedUpReg 710. The two rounds making up a phase share the SpeedUpReg710 to obtain their subsets of bits. The decimal-digits MainReg[2 . . .n] of the n-decimal-digit MainReg 714 are a decimal string Z 718. Thecall AES_(K)(P(i, Z)) is keyed with key K and takes as an argument, inone embodiment, a prefix-free encoding P(i, Z) of the phase number i andthe string Z. Similar to the binary case, the speed-up optimizationexploits the fact that substring Z is common to the n-decimal-digitstrings contained in MainReg 714 during both rounds of the currentphase. In particular, in one embodiment, AES is keyed with K and appliedto a prefix-free encoding P(i, Z) of the phase number i and the stringZ.

In each phase of the encryption of decimal-digit strings using thespeed-up optimization for enciphering decimal-digit strings, the tworounds examine disjoint 10-digit subsets of the 39-decimal digits inSpeedUpReg. Accordingly, 19 digits of the 39-decimal digits inSpeedUpReg remain unused. Could we not also perform a third round andextract 10 of the 19 remaining decimal digits to index into?Unfortunately, this does not work. Over the course of three consecutiverounds of enciphering, the three states of n-digit register MainRegcontain only a common (n−3)-digit substring Z To assure independentpseudorandom characters, we would therefore need to index with a 3-digitstring B. However, there are 100 possible values for B, so that thepseudorandom function would need to provide at least 3·10³⁻¹=300 digits,which is more than the 38 decimal digits obtained from the 128-bitstring output we assume. In general, enciphering strings consisting of nbase-k digits in phases comprising m rounds requires the pseudorandomfunction to output at least m·k^(m−1) base-k digits.

FIG. 7 shows the state changes of the n-decimal-digit register MainReg714 for rounds j=0, 1 of some phase i. We label the contents of digitpositions [0] as b₀ and [1] as b₁, shown cross-hatched in FIG. 7.

For example, consider the round 2i+j where j=0 (716). In MainReg 714,bit b₀ is the active bit, which we assume to be 5. Bit b₁ is extractedto form a new bit string B 720 (shown to the right of then-decimal-digit register as B=b₁). This bit string B, say B=6, is usedto index into the SpeedUpReg 710 to obtain the pseudorandom base-10character SpeedUpReg[B+10·j]=SpeedUpReg[6]. Suppose that thepseudorandom decimal digit at that position is 9. Note that with thisindex formula, both rounds in the phase use 10 different decimal-digitsof the 39 decimal digits in the SpeedUpReg 710.

Next, the system combines the value in decimal-digit position [0] withthe pseudorandom decimal digit looked up from the SpeedUpReg 710 toproduce a 1-decimal-digit output, which we denote by c₀. The combiningfunction is simply modulo-10 addition, so c₀=9+₁₀ 5=4.

Next, the system concatenates the value in decimal-digit positionsMainReg[1 . . . n−1] with c₀ and stores the concatenation result intothe register MainReg 714.

The new state of the register MainReg 714 in round j=0 is b₁Z c₀. Tocontinue the example, consider the next round where j=1. Then-decimal-digit register MainReg 714 contains b₁Z c₀. Digit b₁ is theactive digit. Digit c₀ is extracted to form a new string B 726 (shown tothe right of the n-decimal-digit register MainReg). This string B 726 isused to compute the index B+10·j=14 into SpeedUpReg 728 to obtain onepseudorandom decimal-digit from the next 10-digit subset of the speed-upregister.

Next, the system combines the value in decimal-digit position [0] withthe pseudorandom decimal-digit looked up from the SpeedUpReg 710 toproduce a 1-decimal-digit output c₁. The combining function is againmodulo-10 addition.

Next, the system concatenates the value in decimal-digit positions [1 .. . n−1] with the value of the 1-decimal-digit output of the combinefunction, and stores the concatenation result into the register MainReg.

The very last state shown in the figure is the end result of applyingone two-round phase to the n-decimal-digit register 730: Zc₀c₁. If thereare more phases remaining in the shuffle then the phase number isincremented by l and the next group of two rounds is computed. (Notethat there may be fewer than two rounds in the very last phase).

FIG. 8 shows a flowchart illustrating a more general procedure ofenciphering a message represented as an n-character string where eachcharacter is base-k digit in accordance with some embodiments. Note thatthe specific arrangement of steps shown in the figure should not beconstrued as limiting the scope of the embodiments. These embodimentsinclude, but are not limited to, n-bit input strings, n-decimal-digitinput strings, and n-hexadecimal-digit input strings.

The enciphering system begins the process by receiving (step 802) themessage (a string of n base-k digits), the tweak (a byte string), andthe key K. Each character is a base-k digit.

Next, the system stores the n-character input into an n-character firstregister MainReg (step 804).

Next, the enciphering system iterates over the first register MainReg ina numbered sequence of phases (step 806), modifying the state ofMainReg. For each phase, the system performs the following.

Next, the system invokes the pseudorandom function

_(K) (step 808) with two arguments: the phase number i and the valueMainReg[1 . . . n−1] together with the phase number p.

_(K) returns a pseudorandom base-k character string. Note that thispseudorandom function outputs a pseudorandom base-k character string oflength l.

Next, the system selects at least m·k^(m−1) characters (step 810) forsome m≧2 from the pseudorandom base-k character string output of thepseudorandom function

_(K) and stores these selected characters in a second registerSpeedUpReg. The second register SpeedUpReg behaves as the same speed-upregister shown in FIG. 4 and FIG. 7.

Next, the system iterates over the first register a sequence of m rounds(step 812). The last phase contains fewer rounds if the total number ofrounds is not a multiple of m.

Next, the enciphering system applies a choice function (step 814) to thefirst register MainReg, the second register SpeedUpReg, and the roundnumber to produce a pseudorandom base-k character output.

Next, the enciphering system combines the value in character position[0] of the first register and the pseudorandom base-k character outputby the choice function to produce a new base-k character (step 816).Note that, in some embodiments, this combining function is modulo-kaddition.

Next, the enciphering system (step 818) concatenates the value incharacter positions MainReg[1 . . . n−1] of the first register with thevalue of the new base-k character output and stores the result into thefirst register MainReg.

If there are more rounds (step 820), then the enciphering system goes tostep 814 and continues with the process. Otherwise, if there are morephases (822), then the enciphering system goes back to step 808 andcontinues the process with the next phase.

When all phases are complete, the input string has been successfullyenciphered. The ciphertext is contained in the first register MainReg.

FIG. 9 shows a flowchart elaborating the choice function given in step814 of FIG. 8 in accordance with some embodiments. Note that thespecific arrangement of steps shown in the figure should not beconstrued as limiting the scope of the embodiments. The encipheringsystem begins by invoking the choice function using the first registerMainReg, the second register SpeedUpReg, and the round number asarguments to the function (step 902). What the system is doing,intuitively, is taking a pseudorandom character string—the output of thepseudorandom function stored conveniently in the SpeedUpReg—and“choosing” from a subset of the pseudorandom character string somecharacter string that is, therefore, also pseudorandom.

Next, the enciphering system (step 904) extracts the (m−1) base-kcharacters string B from MainReg, where in round j, B is theconcatenation of characters [1 . . . (m−1-j)] and characters [(n−j) . .. (n−1)] of MainReg.

Next, the enciphering system (step 906) interprets the string of m−1base-k characters as a decimal number B and returns character[b+k^(m−1)·j] of the SpeedUpReg to produce a pseudorandom base-kcharacter output.

The following table gives some valid values for k, m, l satisfying theparameter constraint m·k^(m−1)≦l.

TABLE 3 Example parameter sets Radix k PRF output length l Phase lengthm 2 128 5 3 65 3 8 16 2 10 39 2 16 8 2

The foregoing descriptions of embodiments have been presented forpurposes of illustration and description only. They are not intended tobe exhaustive or to limit the present description to the formsdisclosed. Accordingly, many modifications and variations will beapparent to practitioners skilled in the art. Additionally, the abovedisclosure is not intended to limit the present description. The scopeof the present description is defined by the appended claims.

What is claimed is:
 1. A key-dependent method for reversibly encipheringan input string to an output string having the same length as the inputstring, comprising: receiving the input string; storing the input stringinto a register; modifying the register in a sequence of reversible andkey-dependent phases, wherein each phase is functionally equivalent totwo or more rounds of Thorp-shuffle encryption, and wherein each phaseinvolves: invoking a pseudorandom function that outputs a pseudorandomstring; iteratively modifying the register in a sequence of two or morerounds, wherein each round entails using a different portion of thepseudorandom string to direct the modification of the register; andproviding the contents of the register as an output, after the sequenceof phases completes.
 2. The method of claim 1, wherein receiving theinput string also involves receiving a key and a tweak; and whereinapplying the pseudorandom function involves using the key and the tweakto determine the pseudorandom function.
 3. The method of claim 1,wherein the pseudorandom function is implemented by the CBC-MAC of theAdvanced Encryption Standard (AES).
 4. A method for enciphering an inputto produce an output, comprising: receiving the input, wherein the inputis n characters in length and wherein each character is a base-k digit,for some n≧2 and k≧2; storing the input into an n-character firstregister; modifying the first register in a sequence of two or morenumbered phases, wherein each phase involves: partitioning the firstregister into a first and second portion, the first portion comprisingm≧2 characters and the second portion comprising the remaining n−mcharacters; applying a pseudorandom function to the phase number and thesecond portion, wherein the pseudorandom function outputs a pseudorandomcharacter string t; obtaining from the pseudorandom string m·k^(m−1)base-k characters and storing them in a speed-up register; using thefirst portion of the first register to select characters from thespeed-up register and combining the selected characters with the firstportion of the first register to obtain a new right-hand side consistingm base-k characters; replacing the first register by the concatenationof the second portion of the first register and the new right-hand side;and providing the contents of the first register as an output, after thesequence of phases completes.
 5. The method of claim 4, whereinconcatenating two character strings involves: joining a first characterstring of x characters in length to a second character string of ycharacters in length to produce a new character string of x+y charactersand wherein the new character string contains the characters of thefirst character string followed by the characters of the secondcharacter string.
 6. The method of claim 4, wherein receiving the inputinvolves receiving a key and a tweak; and wherein applying thepseudorandom function involves using the key and the tweak to determinethe pseudorandom function.
 7. The method of claim 4, wherein thepseudorandom function is constructed from the CBC-MAC of the AdvancedEncryption Standard (AES).
 8. The method of claim 7, wherein at leastone AES call is performed per pseudorandom function invocation.
 9. Themethod of claim 4, wherein said input is a Social Security number or acredit-card number or a Private Account Number; and enciphering theinput into a string of the same length and drawn from the same characterset simplifies adding encryption to a system with legacy data, becausefield types for the legacy data need not be changed when the data isenciphered.
 10. A non-transitory computer-readable storage medium forstoring instructions that when executed by a computer cause the computerto perform a method for enciphering an input to produce an output,comprising: receiving the input, wherein the input is n characters inlength and wherein each character is a base-k digit, for some n≧2 andk≧2; storing the input into an n-character first register; modifying thefirst register in a sequence of two or more numbered phases, whereineach phase involves: partitioning the first register into a first andsecond portion, the first portion comprising m≧2 characters and thesecond portion comprising the remaining n−m characters; applying apseudorandom function to the phase number and the second portion,wherein the pseudorandom function outputs a pseudorandom characterstring; obtaining from the pseudorandom string m·k^(m−1) base-kcharacters and storing them in a speed-up register; using the firstportion of the first register to select characters from the speed-upregister and combining the selected characters with the first portion ofthe first register to obtain a new right-hand side consisting m base-kcharacters; replacing the first register by the concatenation of thesecond portion of the first register and the new right-hand side; andproviding the contents of the first register as an output, after thesequence of phases completes.
 11. The non-transitory computer-readablestorage medium of claim 10, wherein concatenating two character stringsinvolves: joining a first character string of x characters in length toa second character string of y characters in length to produce a newcharacter string of length x+y number of characters and wherein the newcharacter string contains the characters of the first character stringfollowed by the characters of the second character string.
 12. Thenon-transitory computer-readable storage medium of claim 10, whereinreceiving the input involves receiving a key and a tweak; and whereinapplying the pseudorandom function involves using the key and the tweakto determine the pseudorandom function.
 13. The non-transitorycomputer-readable storage medium of claim 10 wherein the pseudorandomfunction is constructed from the CBC-MAC of the Advanced EncryptionStandard (AES).
 14. The non-transitory computer-readable storage mediumof claim 13, wherein at least one AES call is performed per pseudorandomfunction invocation.
 15. The non-transitory computer-readable storagemedium of claim 10, wherein said input is a Social Security number or acredit-card number or a Private Account Number; and enciphering theinput into a string of the same length and drawn from the same characterset simplifies adding encryption to a system with legacy data, becausefield types for the legacy data need not be changed when the data isenciphered.
 16. A system for enciphering an input to produce an output,comprising: a receiving mechanism configured to receive the input,wherein the input is n characters in length and wherein each characteris a base-k digit, for some n≧2 and k≧2; a storing mechanism configuredto store the input into an n-character first register; a computationmechanism configured to modify the first register in a sequence of twoor more numbered phases, wherein each phase involves: partitioning thefirst register into a first and second portion, the first portioncomprising m≧2 characters and the second portion comprising theremaining n−m characters; applying a pseudorandom function to the phasenumber and the second portion, wherein the pseudorandom function outputsa pseudorandom character string; obtaining from the pseudorandom stringm·k^(m−1) base-k characters and storing them in a speed-up register;using the first portion of the first register to select characters fromthe speed-up register and combining the selected characters with thefirst portion of the first register to obtain a new right-hand sideconsisting m base-k characters; replacing the first register by theconcatenation of the second portion of the first register and the newright-hand side; and an outputting mechanism configured to provide thecontents of the first register as an output, after the sequence ofphases completes.
 17. The system of claim 16, wherein concatenating twocharacter strings involves: joining a first character string of xcharacters in length to a second character string of y characters inlength to produce a new character string of length x+y number ofcharacters and wherein the new character string contains the charactersof the first character string followed by the characters of the secondcharacter string.
 18. The system of claim 16, wherein receiving theinput involves receiving a key and a tweak; and wherein applying thepseudorandom function involves using the key and the tweak to determinethe pseudorandom function.
 19. The system of claim 16 wherein thepseudorandom function is constructed from the CBC-MAC of the AdvancedEncryption Standard (AES).
 20. The system of claim 19, wherein at leastone AES call is performed per pseudorandom function invocation.
 21. Thesystem of claim 16, wherein said input is a Social Security number or acredit-card number or a Private Account Number; and enciphering theinput into a string of the same length and drawn from the same characterset simplifies adding encryption to a system with legacy data, becausefield types for the legacy data need not be changed when the data isenciphered.
 22. A key-dependent method for reversibly enciphering aninput string into an output string having the same length as the inputstring, the method comprising: storing the input string in a register;modifying contents of the register in a sequence of reversible andkey-dependent phases, wherein each phase is functionally equivalent totwo or more rounds of Thorp-shuffle encryption, and wherein saidmodification in each phase is directed by a multi-character output of apseudorandom function; and upon completion of said modification,providing the modified contents of the register as an output string.